Monthly Archives: May 2014

Anton Melnikov Publisher – WARNING

Just a short post before getting back to work. I found a software download this morning that bundles some unwanted software. The download is digitally signed by Anton Melnikov. The problem with the Anton Melnikov download is that it bundles lots of unwanted software, such as “SaveOn”, “Y**tubeAdBlocker”, “SW-Booster”, “SW-Sustainer”, etc.

Windows will display Anton Melnikov as the publisher when running the file. The program name is “Installer for TopApp software”.

Anton Melnikov publisher - Installer for TopApp software

You can also check the digital signature under the file’s properties. The certificate says Anton Melnikov is located in Kiev, Ukraine.

anton-melnikov-digital-signature

anton-melnikov-kiev-ukraine

Well, hope this blog post saved you a few hours by avoiding those unwanted programs. There are after all more interesting things to do than cleaning a computer from adware.

Did you also find a file signed by Anton Melnikov? Where did you find it and what kind of download was it? Thanks for sharing.

Productivitypro Ads – Removal Instruction

Getting bombarded with ads labeled “productivitypro Ads” and a large sidebar with search results called “Topic Torch by productivitypro” like in the screenshots below?

productivitypro ads

Topic Torch by productivitypro

productivitypro will also appear in your web browser’s add-on list. It appears as “productivitypro 1.0.1” in Firefox:

productivitypro 1.0.1

So, how about the removal? Simply check the productivitypro files in FreeFixer for removal:

productivitypro Internet Explorer add-on productivitypro firefox extension

Out of curiosity, how did you get the productivitypro adware on your computer? Please let me know by posting a comment.

WiseManager’s CfjdkPfhrU.exe is a Bitcoin Miner – Removal Instructions

I found yet another Bitcoin miner this morning. You might have spotted it because of a new file called WiseManager.exe running at startup or the high CPU usage by CfjdkPfhrU.exe as shown in the screenshot of the Task Manager below:

CfjdkPfhrU.exe CPU Setup Task Manager

The Wise Manager files are located in C:\Users\%USER%\AppData\Roaming\WiseManager\ and C:\Users\%USER%\AppData\Roaming\WiseManager\CGMInerDLLs.

wisemanager cgminerdlls folder

Currently no anti-virus detects the two main files, WiseManager.exe and CfjdkPfhrU.exe, when I uploaded them to VirusTotal, but I assume the scanners will start picking them up sooner rather than later. WiseManager.exe is digitally signed by Moresta Holdings Limited. CfjdkPfhrU.exe is unsigned.

By the way, CfjdkPfhrU.exe sounds like it has been given a random file name. Does your computer show another file hogging the CPU?

Removing WiseManager.exe and CfjdkPfhrU.exe is easy with FreeFixer. Just check WiseManager.exe and CfjdkPfhrU.exe for removal and click the Fix button and the problem is solved.

wisemanager.exe startup in the roaming folder wisemanager.exe and cfjdkPfhrU.exe processes

Now you can remove the C:\Users\%USER%\AppData\Roaming\WiseManager\ folder manually in Explorer.

I found the Wise Manager Bitcoin miner while testing a free download. WiseManager was bundled inside the download. How did you get Wise Manager and CfjdkPfhrU.exe on your computer?
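A quick triage for the symptoms described in this post, as an added example that is not part of the original post or of FreeFixer: it checks for the WiseManager folder and lists every running process whose executable sits under the Roaming profile, with CPU time and signature status. The function name `Get-RoamingProcessReport` is hypothetical; the folder and file names are the ones given above.

```powershell
# Added example. The folder name comes from the post; the function name
# is an assumption for illustration.
function Get-RoamingProcessReport {
    param([string]$Root = $env:APPDATA)   # C:\Users\<user>\AppData\Roaming

    Get-Process |
        Where-Object {
            # Path is empty for processes the current user cannot inspect.
            $_.Path -and
            $_.Path.StartsWith($Root, [StringComparison]::OrdinalIgnoreCase)
        } |
        ForEach-Object {
            # Reads the Authenticode signature of the image on disk.
            $sig = Get-AuthenticodeSignature -LiteralPath $_.Path
            $signer = $null
            if ($sig.SignerCertificate) {
                $signer = $sig.SignerCertificate.GetNameInfo(
                    [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName,
                    $false)
            }
            [pscustomobject]@{
                Name       = $_.ProcessName
                Id         = $_.Id
                CpuSeconds = [math]::Round([double]$_.CPU, 1)
                Signature  = $sig.Status      # NotSigned for an unsigned file
                Signer     = $signer
                Path       = $_.Path
            }
        } |
        Sort-Object CpuSeconds -Descending
}

# The folder named in the post; list its contents if it exists.
$wiseDir = Join-Path $env:APPDATA 'WiseManager'
if (Test-Path -LiteralPath $wiseDir) {
    Get-ChildItem -LiteralPath $wiseDir -Recurse -File |
        Select-Object FullName, Length, LastWriteTime
}

# Highest CPU consumers first; a randomly named, unsigned entry stands out.
Get-RoamingProcessReport | Format-Table -AutoSize -Wrap
```

Legitimate per-user applications also run from the Roaming folder, so treat the output as a list to review rather than a verdict.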

Daneil Jemoch Publisher – WARNING!

Just a quick post before starting today’s programming on the FreeFixer tool. This is the second time I spot a file digitally signed by Daneil Jemoch that bundles lots of unwanted programs. Thought I should warn you and hopefully save you from some unnecessary adware cleaning. You can see Daneil Jemoch appear as the publisher when running the file as shown below.

Daneil Jemoch Publisher - Excellent4App Daneil Jemoch publisher

You can also check who signed a file by checking the digital signature tab. The screenshot below shows the Daneil Jemoch certificate. From the certificate info we can see that Daneil Jemoch appears to be located in Kiev, Ukraine.

daniel-jemoch-digital-signature

Daneil Jemoch, Kiev, Ukraine

The anti-virus programs have a decent detection rate for the Daneil Jemoch file:

Daneil Jemoch virus total

The anti-virus scanners refer to the file as Graftor, MultiPlug and InstalleRex.

Where did you find the Daneil Jemoch signed file?

Hope you found this post useful. Please let me know by posting a comment.

PEV.DAT has stopped working – DDS Error – Any workaround?

One of the tools that I’m using quite often is DDS. It is used to generate a log file containing the running processes, services, search settings, browser plugins, etc. Basically the same information as the items that appear in the FreeFixer log. From time to time I’m getting an error saying “PEV.DAT has stopped working” when running DDS and I’m wondering if anyone out there knows of a work-around, or if there’s a more recent DDS download that solves this bug?

PEV.DAT has stopped working - DDS error message

Boris Burkin Publisher – WARNING

Just a short post before I call it a day. I found yet another file that bundled a bunch of unwanted programs, and the file was signed by Boris Burkin. Typically you’d see the Boris Burkin publisher name appear when double-clicking on the file:

Boris Burkin Publisher

You will also see Boris Burkin appear if you check the file’s digital signature.

Boris Burkin Digital Certificate

Boris Burkin, kyiv, kyivska

If you are considering running the Boris Burkin signed file, I’ll advise you not to. Delete it instead. Just check out the detection list from some of the anti-virus programs:

boris-burkin-virus-total

The anti-virus programs call the file Trojan.AntiFW, InstalleRex, Adware.Downware, Win32.InfoLeak, Downloader.AdLoad, etc.

Did you also find a file digitally signed by Boris Burkin? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.

Clovermedia SL Digital Signature – WARNING!

Just got home after having an espresso with my friend Jon Kågström and started to check out a bunch of suspicious downloads. One of the downloads was signed by the Clovermedia SL publisher. If you came here wondering if the file is safe or not, I think you should avoid running the Clovermedia file.

Clovermedia SL Publisher

You can also check who signed a file by looking under the file’s properties. The following screenshot shows how the Clovermedia SL certificate appears under the Digital Signature tab.

Clovermedia Digital Signature

There is also additional info available, such as that Clovermedia SL is located on Tenerife.

Clovermedia certificate information

Anyway, the problem with the Clovermedia file is that it bundles lots of potentially unwanted programs, such as MediaPlayer Plus, Freeven, etc. Many of the anti-virus programs are well aware of this, and flag the Clovermedia file with names such as DomaIQ.

Clovermedia virus total scan

Hope this helped you avoid some adware.

Did you also find a Clovermedia file? Where did you download it?

 

HARASAN PRAPAPON Digital Signature – WARNING!

I was looking around for some adware to install on my lab machine to test a new cleaning feature that I’m working on for the FreeFixer tool, when I stumbled on a file digitally signed by HARASAN PRAPAPON. I’m writing this post to warn you about the file. Typically the file is named after some popular TV-series or movie.

If you are hesitating with the following UAC prompt saying HARASAN PRAPAPON is the publisher, I strongly suggest you click the No button.

HARASAN PRAPAPON publisher

Tip: You can also check a digital signature by right-clicking on a file -> Properties -> Digital Signature.

HARASAN PRAPAPON  digital signature

So what’s the problem with the HARASAN PRAPAPON signed file? Here’s the detection results, which should convince you:

  • Malwarebytes PUP.Optional.OneClickDownloader.A
  • Kingsoft Win32.Troj.Generic.a.(kcloud)

I’m sure the other anti-virus programs will pick up this file sooner rather than later.

Did you also find a file signed by HARASAN PRAPAPON? What are the anti-virus programs calling it? (Hint: upload it to www.virustotal.com)

WARP INSTALLER Publisher – Don’t run that file

To save you from some adware cleaning, I just want to give you the heads up on files that are digitally signed by WARP INSTALLER. Most versions of Windows will display the publisher when double-clicking on a downloaded file, as shown in the screenshot below.

WARP INSTALLER Publisher

If you get this prompt about Premium Installer by WARP INSTALLER, click No.

You can also check the digital signature by looking under the Digital Signature tab in the file’s properties.

WARP INSTALLER Digital Signature

So, why should you avoid the WARP INSTALLER files? StartDownload.exe, which is digitally signed by WARP INSTALLER, is detected by 15 of the 50 anti-virus programs! Here are some of the detection names:

  • ESET-NOD32 a variant of Win32/AdWare.iBryte.AD
  • F-Secure Gen:Variant.Application.Bundler
  • Kingsoft Win32.Troj.Generic.a.(kcloud)
  • Malwarebytes PUP.Optional.OptimumInstaller.A

Did you also download one of the WARP INSTALLER signed files? Where did you find it?
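The signature check described in these publisher posts can also be done from PowerShell without running the file. The following is an added example, not part of the original posts or of FreeFixer: it reads the Authenticode signer of each installer in a folder and flags the publisher names listed on this page. The function name `Get-DownloadSignerReport` and the default Downloads folder are assumptions.

```powershell
# Added example. Publisher names are copied from the posts on this page;
# the function name and default folder are assumptions for illustration.
$FlaggedPublishers = @(
    'Anton Melnikov', 'Daneil Jemoch', 'Boris Burkin',
    'Clovermedia SL', 'HARASAN PRAPAPON', 'WARP INSTALLER'
)

function Get-DownloadSignerReport {
    param(
        [string]$Folder = (Join-Path $env:USERPROFILE 'Downloads'),
        [string[]]$Publishers = $FlaggedPublishers
    )

    Get-ChildItem -Path $Folder -Recurse -File -Include *.exe, *.msi -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Reads the Authenticode signature; nothing is executed.
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $cert = $sig.SignerCertificate
            $signer = $null
            if ($cert) {
                # SimpleName is the subject's common name, normally the
                # name Windows shows as the publisher.
                $signer = $cert.GetNameInfo(
                    [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName,
                    $false)
            }
            [pscustomobject]@{
                File    = $_.FullName
                Status  = $sig.Status     # Valid, NotSigned, HashMismatch, ...
                Signer  = $signer
                Subject = if ($cert) { $cert.Subject } else { $null }
                # A valid signature only proves who signed the file,
                # so a name match is flagged whatever the status is.
                Flagged = [bool]($signer -and ($Publishers -contains $signer))
            }
        }
}

# Flagged files first; Subject carries the locality from the certificate.
Get-DownloadSignerReport |
    Sort-Object Flagged -Descending |
    Format-Table -AutoSize -Wrap
```

The `Subject` column carries the same locality details that the certificate dialog shows, such as the Kiev, Ukraine entries mentioned above.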

Findopolis Ads Removal

Getting bombarded by Findopolis ads like in the screenshot below? No problem, I’ll show how to remove the Findopolis adware. Read on…

Findopolis ads

The Findopolis adware has been around for some time, at least from the beginning of February 2014, but it is still being distributed. So I thought I should write a few lines about it. I found Findopolis yesterday when a pop-up claimed that my computer needed a “Video Upgrade”.

All you need to do to remove Findopolis is to check the Findopolis files for removal in FreeFixer and click the Fix button.

findopolisbho.dll - Check this file for removal

Here’s a video demonstrating the removal:

Hope you found this useful.

How did you get Findopolis on your machine? Please share your story in a comment below.